[Logcheck-devel] Bug#764062: logcheck-database: does not filter amavis CLEAN messages

Jérôme Drouet jerome.drouet at gmail.com
Thu Oct 16 22:57:07 UTC 2014


The rules from /etc/logcheck/ignore.d.server/amavisd-new do not correctly
handle this one either:

Oct 16 22:51:57 mailserver amavis[32039]: (32039-11) Passed CLEAN {RelayedInbound}, [10.0.0.1]:39213 [10.0.0.1] <root at domain.com> -> <root at domain.com>, Queue-ID: 8589710013F, Message-ID: <20141016205157.1B85842A6 at mailserver.domain.com>, mail_id: DpzmaAs5yyiC, Hits: 4.799, size: 786, queued_as: B5161100158, 140 ms

Note that the [IP_ADDRESS]:PORT [IP_ADDRESS] part does not match the rules.

Furthermore, there might be a "_" character in the "mail_id" field, which is
not matched by the default rules.

This rule seems OK for both problems (derived from 1.3.15, but no visible
change in 1.3.16):

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM(MY)?)( {RelayedInbound})?,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:xdigit:]]{0,5})?){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: ([[:alnum:]]/)?spam-[-+[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]*,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$


regards,
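
A way to check the proposed rule before installing it, as an added example that is not part of the original message or of logcheck itself: it applies the rule with grep -E (logcheck filters with egrep) to constructed sample lines and confirms that the two "Passed CLEAN" variants are suppressed while a "Blocked INFECTED" line is still reported. Assumptions: GNU grep, the example.com addresses, the second and third sample lines, and the helper names `filtered_count` and `unfiltered`.

```shell
#!/bin/sh
# Added example: apply the proposed ignore rule the way logcheck does (egrep).
# RULE is the rule from the message above, joined onto a single line.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM(MY)?)( {RelayedInbound})?,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:xdigit:]]{0,5})?){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: ([[:alnum:]]/)?spam-[-+[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]*,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$'

# Constructed sample input (not real logs):
#   line 1: the reported line, with constructed example.com addresses
#   line 2: same shape, but with "_" in mail_id and a negative score
#   line 3: a constructed "Blocked INFECTED" line that must stay visible
SAMPLES='Oct 16 22:51:57 mailserver amavis[32039]: (32039-11) Passed CLEAN {RelayedInbound}, [10.0.0.1]:39213 [10.0.0.1] <root@example.com> -> <root@example.com>, Queue-ID: 8589710013F, Message-ID: <20141016205157.1B85842A6@mailserver.example.com>, mail_id: DpzmaAs5yyiC, Hits: 4.799, size: 786, queued_as: B5161100158, 140 ms
Oct 16 22:52:03 mailserver amavis[32039]: (32039-12) Passed CLEAN {RelayedInbound}, [10.0.0.1]:39214 [10.0.0.1] <root@example.com> -> <root@example.com>, Queue-ID: 1A2B3C4D5E, Message-ID: <constructed-2@mailserver.example.com>, mail_id: Dp_maAs5yyiC, Hits: -0.1, size: 512, queued_as: C6272200269, 95 ms
Oct 16 22:53:10 mailserver amavis[32039]: (32039-13) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [10.0.0.1]:39215 [10.0.0.1] <root@example.com> -> <root@example.com>, Queue-ID: 2B3C4D5E6F, Message-ID: <constructed-3@mailserver.example.com>, mail_id: AbCdEf123456, Hits: -, size: 1024, 210 ms'

# Number of sample lines the rule would suppress from the logcheck report.
filtered_count() {
    printf '%s\n' "$SAMPLES" | grep -E -c -e "$RULE"
}

# Lines the rule does NOT match, i.e. what logcheck would still report.
unfiltered() {
    printf '%s\n' "$SAMPLES" | grep -E -v -e "$RULE"
}

echo "suppressed lines: $(filtered_count)"
echo "still reported:"
unfiltered
```
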